Healthcare Cybersecurity

NSA Warns of Authentication Mechanism Abuse to Gain Access to Cloud Resources

Posted by HIPAA Journal

The U.S. National Security Agency (NSA) has issued an alert that warns about two hacking techniques that are currently being used by threat groups to gain access to cloud resources containing protected data. These techniques abuse authentication mechanisms and allow attackers to steal credentials and maintain persistent access to networks.

These techniques have been used by the threat actors who compromised SolarWinds Orion platform. The hackers behind the attacks have yet to be identified, but some evidence has emerged that suggest this is a nation state attack by a Russian threat group, possibly APT29 (Cozy Bear). Secretary of State Mike Pompeo said in a radio interview on Friday that “now we can say pretty clearly that it was the Russians that engaged in this activity,” although on Saturday President Trump downplayed the attack and suggested there is a possibility China is responsible, although President Trump is largely alone in having that viewpoint.

The SolarWinds Orion platform supply chain attack was used to push malware out to customers through the SolarWinds software update mechanism, but that is one of several methods currently being used to compromise public and private sector organizations and government agencies.

“Initial access can be established through a number of means, including known and unknown vulnerabilities,” explained the NSA in its alert. “The recent SolarWinds Orion code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access.”

Once initial access had been gained, through the SolarWinds compromise for example, the techniques described in the alert are used to gain additional privileges through the forging of credentials to maintain persistent access. The NSA has provided guidance on how to detect attacks and mitigate against them, regardless of how the initial access is gained. The NSA notes that these tactics are not new and have been used by threat actors since at least 2017 and continue to be effective.

The techniques described in the alert involve the use of compromised authentication tokens and abuse of compromised system administration accounts in Microsoft Azure and other cloud platforms once a local network has been compromised.

The first technique involves compromising an on-premises federated identity provider or single sign-on (SSO) system. These systems allow organizations to use the authentication system they already own to grant access to resources, including cloud services. These systems use cryptographically signed automated messages – assertions – which are shared via Security Assertion Markup Language (SAML) to show that users have been authenticated. Threat actors are abusing the authentication mechanism to gain illicit access to a wide range of assets owned by organizations.

The attackers either steal credentials or private keys from the SSO system that allow them to sign assertions and impersonate a legitimate user and gain sufficient privileges to create their own keys and identities, as well as their own SSO system. The second approach involves compromising admin accounts to assign credentials to cloud application services, after which the attackers call for the application’s credentials to gain automated access to cloud resources.

The NSA has warned that threat actors are continuing to exploit the recently disclosed command injection vulnerability in VMware products (CVE-2020-4006). In one case cited by the NSA exploitation of this vulnerability allowed initial local network access to be gained, rather than the SolarWinds method. The techniques described in the alert were then used to gain access to cloud resources. A patch has been released to correct the flaw affecting VMware products. The patch should be applied as soon as possible. Users of SolarWinds Orion should follow the previously published mitigations.

These attack methods to gain access to cloud resources do not exploit vulnerabilities in cloud infrastructure, federated identity management, the SAML protocol, or on-premises and cloud identity services, instead they abuse trust in the federated identity system.

“The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, then the trust in the federated identity system can be abused for unauthorized access,” said the NSA.

To prevent the new techniques from being successfully used to gain access to cloud resources, the NSA recommends the following:

  • Lock down SSO configuration and service principle usage
  • Harden systems running on-premises identity and federation services
  • Monitor logs for suspicious tokens that do not match the organization’s baseline for SAML tokens.
  • Audit tokens to detect anomalies
  • Examine logs for suspicious use of service principles
  • Look for unexpected trust relationships that have been added to Azure Active Directory

The post NSA Warns of Authentication Mechanism Abuse to Gain Access to Cloud Resources appeared first on HIPAA Journal.

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their individual audits.

The 2016-2017 HIPAA Audits Industry Report details the overall findings of the audits, including key aspects of HIPAA compliance that are proving problematic for covered entities and business associates.

In the report, OCR gives each audited entity a rating based on their level of compliance with each specific provision of the HIPAA Rules under assessment. A rating of 1 indicates the covered entity or business associate was fully compliant with the goals and objectives of the selected standards and implementation specifications. A rating of 2 means the entity substantially met the criteria and maintained adequate policies and procedures and could supply documentation or other evidence of compliance.

A rating of 3 means the entity minimally addressed the audited requirements and had made some attempt to comply, although had failed to comply fully or had misunderstood the HIPAA requirements. A rating of 4 means the entity made negligible efforts to comply, such as supplying policies and procedures for review that were copied directly from an association template or providing poor or generic documentation as evidence of training.  A rating of 5 means OCR was not provided with evidence of a serious attempt to comply with the HIPAA Rules.

The table below summarizes the audit results on key provisions of the HIPAA Rules. The blue and red figures indicate the most common rating in each category, with blue corresponding to mostly ratings of 1 or 2 (compliant) and red indicating implementation was inadequate, negligible, or absent.

The table clearly shows that most audited entities largely failed to successfully implement the HIPAA Rules requirements.

OCR 2016-2017 HIPAA Audits Industry ReportMost covered entities complied with the requirement of the Breach Notification Rule to send timely notifications in the event of a data breach. HIPAA requires those notifications to be sent within 60 days of the discovery of a data breach; however, most covered entities failed to include all the required information in their breach notifications.The audits revealed widespread compliance with the requirement to create and prominently post a Notice of Privacy Practices on their website. The Notice of Privacy Practices gives a clear, user friendly explanation of individuals’ rights with respect to their personal health information and details the organization’s privacy practices. However, most audited entities failed to include all the required content in their Notice of Privacy Practices.

The individual right of access is an important provision of the HIPAA Privacy Rule. Individuals have the right to obtain and inspect their health information. Most covered entities failed to properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of the PHI held within 30 days of receiving a request and only charging a reasonable cost-based fee for access.

The first phase of HIPAA compliance audits conducted by OCR in 2012 revealed widespread noncompliance with the requirement to conduct a comprehensive, organization-wide risk analysis to identify vulnerabilities and risks to the confidentiality, integrity, and availability of protected health information. In its enforcement activities over the past 11 years, a risk analysis failure is the most commonly cited HIPAA violation.

HIPAA covered entities are still failing in this important provision of the HIPAA Security Rule, with the latest round of audits revealing most audited entities failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

You can view the full 2016-2017 HIPAA Audits Industry Report on this link: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf.

The post OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules appeared first on HIPAA Journal.

House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices When Making Regulatory Determinations

Posted by HIPAA Journal

A new bill (HR 7988) has been passed by the House Energy and Commerce Committee which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been adopted by HIPAA-covered entities and business associates when making certain determinations, such as financial penalties following security breaches or for other regulatory purposes.

The HIPAA Safe Harbor Bill, if signed into law, would reward covered entities and business associates that have met cybersecurity practices through reduced financial penalties and shorter compliance audits. The legislation calls for the HHS Secretary to consider whether the entity has adequately demonstrated recognized security practices have been in place for no less than 12 months, which may mitigate financial penalties, result in an early, favorable termination of an audit, or mitigate other remedies which may otherwise have been agreed with respect to resolving potential HIPAA Security Rule violations.

The bill defines ‘Recognized Security Practices’ as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

The bill also confirms that its aim is to reduce potential sanctions, penalties, and the length of audits when cybersecurity best practices are followed, and not to give the HHS the authority to increase audit lengths, fines, and penalties when an entity is discovered not to be in compliance with recognized security standards.

The bill easily passed the house vote and is expected to pass the Senate vote next week. The bill has received considerable support from many health IT industry stakeholder groups, including HITRUST. HITRUST believes the legislation will help to improve the cybersecurity posture of the healthcare industry, will encourage healthcare organizations to take a more proactive approach to HIPAA compliance, and will ensure entities that have achieved HITRUST Cybersecurity Standard Framework (CSF) Certification are recognized for their proactive approach to protecting healthcare data.

The bill also has the backing of the Healthcare and Public Health Sector Coordinating Council (HSCC), which believes the legislation will act as a positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and patient safety.

The post House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices When Making Regulatory Determinations appeared first on HIPAA Journal.

CISA: SolarWinds Orion Software Under Active Attack

Posted by HIPAA Journal

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that sophisticated hackers are actively exploiting SolarWinds Orion IT monitoring and management software.

The cyberattack, which is ongoing, is believed to be the work of a highly sophisticated, evasive, nation state hacking group who created a Trojanized version of Orion software that has been used to deploy a backdoor into customers’ systems dubbed SUNBURST.

The supply chain attack has impacted around 18,000 customers, who are understood to have downloaded the Trojanized version of SolarWinds Orion and the SUNBURST backdoor. SolarWinds Orion is used by large public and private organizations and government agencies.

SolarWinds customers include all five branches of the U.S. military, the Pentagon, State Department, NASA and National Security Agency. Its solutions are also used by 425 of the 500 largest publicly traded U.S. companies. The US Treasury, US National Telecommunications and Information Administration (NTIA), and Department of Homeland Security are known to have been attacked. The campaign was first detected by the cybersecurity company FireEye, which was also attacked as part of this campaign.

The attacks started in spring 2020 when the first malicious versions of the Orion software were introduced. The hackers are believed to have been present in compromised networks since then. The malware is evasive, which is why it has taken so long to detect the threat. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity,” according to FireEye. Once the backdoor has been installed, the attackers move laterally and steal data.

“We believe that this vulnerability is the result of a highly-sophisticated, targeted, and manual supply chain attack by a nation-state,” said Kevin Thompson, SolarWinds President and CEO.

The hackers gained access to SolarWinds’ software development environment and inserted the backdoor code into its library in SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, which were released between March 2020 and June 2020.

CISA issued an Emergency Directive ordering all federal civilian agencies to take immediate action to block any attack in progress by immediately disconnecting or powering down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their networks. The agencies have also been prohibited from “(re)joining the Windows host OS to the enterprise domain.”

All customers have been advised to immediately upgrade their SolarWinds Orion software to Orion Platform version 2020.2.1 HF 1. A second hotfix – 2020.2.1 HF 2 – is due to be released on Tuesday and will replace the compromised component and implement other additional security enhancements.

If it is not possible to immediately upgrade, guidelines have been released by SolarWinds for securing the Orion Platform. Organizations should also scan for signs of compromise. The signatures of the backdoor are being added to antivirus engines, and Microsoft has confirmed that all its antivirus products now detect the backdoor and users have been advised to run a full scan.

SolarWinds is working closely with FireEye, the Federal Bureau of Investigation, and the intelligence community to investigate the attacks. SolarWinds is also working with Microsoft to remove an attack vector that leads to the compromise of targets’ Microsoft Office 365 productivity tools.

It is currently unclear which group is responsible for the attack; although the Washington Post claims to have spoken to sources who confirmed the attack was the work of the Russian nation state hacking group APT29 (Cozy Bear). A spokesperson for the Kremlin said Russia had nothing to do with the attacks, stating “Russia does not conduct offensive operations in the cyber domain.”

The post CISA: SolarWinds Orion Software Under Active Attack appeared first on HIPAA Journal.

Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers

Posted by HIPAA Journal

Three serious vulnerabilities have been identified in Medtronic MyCareLink (MCL) Smart Patient Readers, which could potentially be exploited to gain access to and modify patient data from the paired implanted cardiac device. Exploitation of the vulnerabilities together could permit remote code execution on the MCL Smart Patient Reader, allowing an attacker to take control of a paired cardiac device. In order to exploit the vulnerabilities, an attacker would need to be within Bluetooth signal proximity to the vulnerable product.

The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an authentication protocol vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or malicious app on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, tricking it into believing it is communicating with the patient’s smartphone app. The vulnerability has been assigned a CVSS v3 base score of 8.0 out of 10.

A heap-based buffer overflow event can be triggered in the MCL Smart Patient Reader software stack by an authenticated attacker running a debug command. Once triggered, an attacker could then remotely execute code on the vulnerable MCL Smart Patient Reader, potentially allowing the attacker to take control of the device. The vulnerability is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

MCL Smart Patient Readers are also vulnerable to a race condition in the software update system, which could be exploited to upload and execute unsigned firmware on the Patient Reader. This vulnerability could also allow remote execution of arbitrary code on the MCL Smart Patient Reader and could give an attacker control of the device. The flaw is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

The vulnerabilities were identified by researchers at the Israeli firm Sternum, with UC Santa Barbara, University of Florida, and University of Michigan researchers independently identifying the improper authentication vulnerability.

The flaws were reported to Medtronic which has now released a firmware update to fix the vulnerabilities. The firmware update can be applied by updating the MyCareLink Smartapp via the associated mobile application store. Updating to mobile application version v5.2 will ensure the update is applied on the next use; however, in order for the patch to work, the user’s smartphone must be running iOS 10 or above or Android 6.0 or above.

Users have also been advised to maintain strong physical control over their home monitors and to restrict use of the home monitors to private environments. Patients should only use home monitors that have been obtained directly from their healthcare provider or a Medtronic representative.

Medtronic has also taken steps to improve security, including implementing Sternum’s enhanced integrity validation (EIV) technology which provides early detection and real-time mitigation of known vulnerability exploitation attempts, and Sternum’s advanced detection system technology, which enables device-level logging and monitoring of all device activity and behavior.

The post Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers appeared first on HIPAA Journal.

Russian State-Sponsored Hackers Exploiting Vulnerability in VMWare Virtual Workspaces

Posted by HIPAA Journal

The U.S. National Security Agency (NSA) has issued a cybersecurity advisory warning Russian state-sponsored hacking groups are targeting a vulnerability in VMWare virtual workspaces used to support remote working.

The flaw, tracked as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being exploited to gain access to enterprise networks and protected data on the affected systems.

The flaw is a command-injection vulnerability in the administrative configurator component of the affected products. The vulnerability can be exploited remotely by an attacker with valid credentials and access to the administrative configurator on port 8443. If successfully exploited, an attacker would be able to execute commands with unrestricted privileges on the operating system and access sensitive data.

VMWare released a patch to correct the vulnerability on December 3, 2020 and also published information to help network defenders identify networks that have already been compromised, along with steps to eradicate threat actors who have already exploited the flaw.

The flaw may not have been given priority by system administrators as it was only rated by VMWare as ‘important’ severity, with a CVSS v3 base score of 7.2 out of 10 assigned to the flaw. The relatively low severity rating is because a valid password must be supplied to exploit the flaw and the account is internal to the impacted products. However, as the NSA explained, the Russian threat actors are already exploiting the flaw using stolen credentials.

In attacks observed by the NSA, the hackers exploited the command injection flaw, installed a web shell, followed by malicious activity where SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), granting access to protected data.

The best way of preventing exploitation is to apply the VMWare patch as soon as possible. If it is not possible to apply the patch, it is important to ensure that strong, unique passwords are set to protect against brute force attempts to crack passwords. The NSA also recommends administrators ensure the web-based management interface is not accessible over the Internet.

Strong passwords will not prevent the flaw from being exploited and will not provide protection if the flaw has already been exploited. “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” explained the NSA. “Otherwise, SAML assertions could be forged, granting access to numerous resources.” If integrating authentication servers with ADFS, the NSA recommends following Microsoft’s best practices, especially for securing SAML assertions. Multi-factor authentication should also be implemented.

The NSA has published a workaround that can be used to prevent exploitation until the patch can be applied and recommends reviewing and hardening configurations and monitoring federated authentication providers.

Unfortunately, detecting exploitation of the vulnerability can be difficult. “Network-based indicators are unlikely to be effective at detecting exploitation since the activity occurs exclusively inside an encrypted transport layer security (TLS) tunnel associated with the web interface,” explained the NSA in the advisory. The intrusion can, however, be identified from server logs that can be found at /opt/vmware/horizon/workspace/logs/configurator.log. The present of an exit statement followed by a three-digit number within the configurator.log suggests the flaw may already have been exploited.

VMWare recommends all customers refer to VMSA-2020-0027 for information on this vulnerability.

The post Russian State-Sponsored Hackers Exploiting Vulnerability in VMWare Virtual Workspaces appeared first on HIPAA Journal.

Critical Vulnerabilities Identified in More Than 100 GE Healthcare Imaging and Ultrasound Products

Posted by HIPAA Journal

Two critical severity vulnerabilities have been identified in GE Healthcare medical imaging devices that allow remote code execution and access/alteration of sensitive patient data. The vulnerabilities affect GE Healthcare’s proprietary management software and impact more than 100 GE Healthcare imaging devices including MRI, Ultrasound, Advanced Visualization, Interventional, X-Ray, Mammography, Computed Tomography, Nuclear Medicine and PET/CT devices.

Affected GE Healthcare Products

Device Product Families
MRI Brivo, Optima, Signa
Ultrasound EchoPAC, Image Vault, LOGIQ, Vivid, Voluson
Advanced Visualization AW
Interventional Innova, Optima
X-Ray AMX, Brivo, Definium, Discovery, Optima, Precision
Mammography Seno, Senographe Pristina
Computed Tomography BrightSpeed, Brivo, Discovery, Frontier LightSpeed, Optima, Revolution
Nuclear Medicine, PET/CT Brivo, Discovery, Infinia Optima, PET Discovery, PETtrace, Ventri, Xeleris

The vulnerabilities were identified by Lior Bar Yosef and Elad Luz of CyberMDX who reported them to GE Healthcare in May 2020. CyberMDX has dubbed the flaws MDHexRay, with both being assigned a CVSS v3 base score of 9.8 out of 10.

The first flaw is due to unprotected transport of credentials across the network and is tracked as CVE-2020-25175. The second flaw is due to the exposure of sensitive system information to an unauthorized control sphere, which could allow exposed/default credentials to be used to access or modify sensitive information.

The CyberMDX researchers found GE Healthcare’s maintenance protocols relied on having certain ports open and accessible to GE Healthcare to allow the devices to be remotely managed over the internet. While it is necessary for credentials to be used for the update and maintenance software, GE Healthcare would only change the default credentials at the request of a customer and the default credentials used by GE Healthcare could be easily found online. It is unclear how many customers requested the default credentials be changed.

Exploiting the vulnerabilities would require an attacker to already be connected to the hospital network. The default credentials could then be used to access vulnerable connected imaging devices and any data stored on the devices. The medical devices could not be accessed over the Internet by unauthorized users who do not have access to a hospital’s internal network. There are no reported cases of the vulnerabilities being exploited in the wild.

GE Healthcare has assessed the vulnerabilities and conducted a risk assessment and determined there are no patient safety concerns; however, the flaws do pose a risk to patient privacy. It would also be possible for an attacker to modify patient data, which could potentially influence the results of certain therapies. Since data only remains on the imaging machines for a limited amount of time before being transferred to PACS, the patient information that could be obtained or modified would be limited.

According to the DHS Cybersecurity and Infrastructure Security Agency (CISA), “If exploited, these vulnerabilities could allow an attacker to gain access to affected devices in a way that is comparable with GE (remote) service user privileges. A successful exploitation could expose sensitive data such as a limited set of patient health information (PHI) or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.”

While there is no patch available to correct the vulnerabilities, it is possible to mitigate the issue by changing the default password; however, that cannot be performed by end users, only by GE Healthcare. GE Healthcare is now notifying its customers and is helping affected customers change the default password and ensure that their product firewalls are set up properly. Customers are also being advised to follow best practices for network management and security. CyberMDX recommends restricting ports 21 (FTP), 22 (SSH), 23 (Telnet), and 512 (REXEC) to listening state.

The post Critical Vulnerabilities Identified in More Than 100 GE Healthcare Imaging and Ultrasound Products appeared first on HIPAA Journal.

COVID-19 Vaccine Cold Chain Organizations Targeted in Global Phishing Campaign

Posted by HIPAA Journal

The Cybersecurity Infrastructure and Security Agency has issued a warning about a global spear phishing campaign targeting organizations in the cold storage and supply chain that are involved with the distribution of COVID-19 vaccines.

Two of the first vaccines to be produced must be kept and low temperatures during storage and transit prior to being administered. The Pfizer/BioNTech vaccine must be kept at -94°F (-70°C) and the Moderna vaccine at -4°F (-20°C), so cold chain organizations are a key element of the supply chain.

At the start of the pandemic, IBM X-Force established a cyber threat task force to track threats targeting organizations involved in the fight against COVID-19. The task force recently published a report about an ongoing spear phishing campaign that started in September 2020 which is targeting organizations supporting the Cold Chain Equipment Optimization Platform program. The program was launched in 2015 by the United Nations Children’s Fund and partner organizations to distribute vaccines worldwide.

Phishing emails have been sent to executives in sales, procurement, information technology, and finance who are likely to be involved in efforts to support the vaccine cold chain. Targeted organizations are believed to be providers of material support to meet the transportation needs within the COVID-19 cold chain.

The phishing emails appear to have been sent by an executive at Haier Biomedical, a Chinese qualified supplier of the Cold Chain Equipment Optimization Platform program. Haier Biomedical is the only complete cold chain provider in the world, so it is an ideal target for impersonation in the campaign.

The emails intercepted by IBM X-Force researchers had malicious HTML attachments that open locally and prompt the recipients to enter their credentials in order to open the file. The captured credentials can then be used to intercept internal communications about the process, methods, and plans to distribute COVID-19 vaccines. Once credentials are obtained, the attackers can move laterally through networks, conduct cyber espionage, and steal additional information for use in further attacks.

IBM reports that the phishing campaign spans 6 countries and, so far, 10 global organizations are known to have been targeted, as well as the European Commission’s Directorate-General for Taxation and Customs Union. Targeted organizations span several industry sectors including energy, manufacturing, software, and information technology. The researchers were unable to confirm the extent to which the campaign has been successful.

Based on the precision targeting of executives in specific global organizations involved in vaccine storage and transport and the lack of a clear path to cash out, the campaign is likely being conducted by a nation state threat actor. IBM X-Force suggests that cybercriminal organizations would be unlikely to invest the time, money, and resources into such a campaign targeting so many global organizations.

IBM X-Force recommends organizations involved in the cold storage and transport chain should take steps to mitigate the risks from phishing including creating and testing incident response plans, sharing and ingesting threat intelligence, assessing their third-party ecosystems, applying a zero-trust approach to security, using multi-factor authentication across the organization, using endpoint protection and response tools, and conducting regular email security awareness training.

In addition to the threat from phishing, organizations involved in the cold storage chain should take steps to protect against ransomware attacks as they will be a likely target over the coming weeks and months. In November, the U.S. based cold storage company Americold Realty Trust was the victim of a cyberattack suspected to have involved the use of ransomware. The company was reportedly negotiating with Chicago Rockford international Airport to assist with the distribution of COVID-19 vaccines.

The post COVID-19 Vaccine Cold Chain Organizations Targeted in Global Phishing Campaign appeared first on HIPAA Journal.

Vulnerabilities in OpenClinic Application Could Allow Unauthorized PHI Access

Posted by HIPAA Journal

Four vulnerabilities have been identified in the OpenClinic application, the most severe of which could allow authentication to be bypassed and protected health information (PHI) to be viewed from the application by unauthorized users.

OpenClinic is an open source, PHP-based health record management software that is used in many private clinics, hospitals, and physician practices for administration, clinical and financial tasks.

A BishopFox Labs researcher has identified four vulnerabilities in the software which have yet to be corrected. The most serious vulnerability involves missing authentication, which could be exploited to gain access to any patient’s medical test results. Authenticated users of the platform can upload patient’s test results to the application, which are loaded into the /tests/ directory. Requests for files in that directory do not require users to be authenticated to the application to return and display the test results.

In order for the test results to be obtained, an unauthenticated user would need to guess the names of the files; however, the BishopFox researcher explained that medical test filenames can be predictable and could be obtained through log files on the server or other network infrastructure. The vulnerability (CVE-2020-28937) can be exploited remotely and has received a high severity rating.

A high severity insecure file upload vulnerability (CVE-2020-28939) was identified which would allow users with administrative or administrator user roles to upload malicious files. The researcher found those users who have rights to enter medical tests for patients could upload files using the /openclinic/medical/test_new.php endpoint, which does not restrict the types of files that can be uploaded to the application. Consequently, it would be possible to upload web shells, which could be used for arbitrary code execution on the application server. A malicious actor with an administrative or administrator user role could obtain sensitive information, escalate privileges, install malicious software, or gain access to the internal network.

The third vulnerability (CVE-2020-28938) is a medium-severity stored cross-site scripting vulnerability that allows application users to force actions on behalf of other users. Measures have been included in the application to prevent cross-site scripting; however, those controls can be bypassed. A low-privileged user could exploit the vulnerability by getting an Administrator to click a malicious link, which could be used to execute a payload that creates a new Administrator account for the low privileged user.

The fourth vulnerability is a low-severity path traversal flaw that could be exploited in a denial of service attack affecting upload functionality. The flaw allows an authenticated attacker to write files to the application server’s filesystem.

Gerben Kleijn, Senior Security Consultant, Bishop Fox, was credited with discovering the flaws. “At the time of this publication there is no version of OpenClinic available that does not suffer from the identified vulnerabilities, and the recommendation is to switch to a different medical records management software,” said Kleijn in a blog post announcing the vulnerabilities.

These are not the first serious vulnerabilities to be identified in OpenClinic this year. In July, an alert was issued by CISA about 12 vulnerabilities in the software, 3 of which were rated critical and 2 high severity.

The post Vulnerabilities in OpenClinic Application Could Allow Unauthorized PHI Access appeared first on HIPAA Journal.